Enterprise Security Perception and the “House of Security”
September 6, 2006
Professor Stuart Madnick {[email protected]}
Sloan School of Management, Massachusetts Institute of Technology
Cambridge, MA
Updated as of 10 Sep 2006. © MIT, 2006
Copyright © 2006, MIT 2
Differing Perceptions
Picture of old lady or young lady?
Perceptions are as important as “reality” (maybe more important)
Copyright © 2006, MIT 3
Good Security
Good Security provides Accessibility to data and networks to appropriate users while simultaneously protecting Confidentiality of data and minimizing Vulnerabilities to attacks and threats.
Good Security Practice goes beyond technical IT solutions. It is driven by a Business Strategy with associated Security Policies and Procedures implemented in a Culture of Security. These practices are supported by IT Resources and Financial Resources dedicated to Security.
Copyright © 2006, MIT 4
Security Constructs: “House of Security”
[Diagram: the “House of Security”, built from eight constructs: Technology Resources for Security, Financial Resources for Security, Business Strategy for Security, Security Policy & Procedures, Security Culture, Accessibility, Confidentiality and Vulnerability.]
Assessment Perceptions: Examples
Who gives lowest “assessment” of these security constructs? Executives? Line Managers? Professionals?
Which is given highest “assessment” of the constructs? Own company? “Partner” company? About same?
Copyright © 2006, MIT 5
Purpose of Gap Analysis
Gap Analysis is to understand Differences in Perceptions between:
(A) Security Status Assessment and Security Importance
(B) Views of diverse Security Stakeholders … within and across the Enterprise
Types of Gaps (examples)
Performance Gaps: Current Status v. Importance
Role Gaps: Business Managers v. IT staff
Rank Gaps: Executive v. Line Manager
Copyright © 2006, MIT 6
Purpose of Gap Analysis (cont.)
Gaps represent Opportunities for Improvement within the Enterprise and across the Extended Enterprise
(A) When Status is below the Needs:
• Represent Areas for Improvement
(B) When Status among Stakeholders shows differences, these represent areas for Investigating sources of the differences:
• Gaps may represent misunderstandings
• Gaps may represent differences in local knowledge and needs
Copyright © 2006, MIT 7
Gap Analysis Questionnaire
1. Questionnaire respondents are:
• Diverse roles (e.g., IT, non-IT)
• Diverse ranks (e.g., Line managers, Executives)
• Diverse companies and industries
2. Each respondent reports his/her view of actual assessment and importance of each question for both his/her organization and a partner organization.
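The gap arithmetic the deck applies to its questionnaire, worked through on a constructed sample. This is an added example, not code from the MIT study: the respondents, companies (CompI, CompW, CompX) and ratings are made up, and the function names are my own. A performance gap is Importance minus Assessment (MI - MA for "my" organization, PI - PA for the partner); a rank or role gap is the difference between two stakeholder groups' mean performance gaps.

```python
"""Gap analysis over a constructed questionnaire sample (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Response:
    respondent: str
    rank: str      # e.g. Executive, Line Manager, Professional
    role: str      # e.g. Business, IT
    company: str
    question: str  # question id, e.g. q33
    ma: int        # assessment of "my" organization (1-7)
    mi: int        # importance for "my" organization (1-7)
    pa: int        # assessment of the partner organization (1-7)
    pi: int        # importance for the partner organization (1-7)


# Constructed sample: hypothetical respondents and companies, all answering q33.
RESPONSES = [
    Response("r1", "Executive", "Business", "CompI", "q33", 4, 7, 5, 6),
    Response("r2", "Executive", "Business", "CompI", "q33", 4, 6, 5, 5),
    Response("r3", "Line Manager", "IT", "CompI", "q33", 6, 6, 5, 5),
    Response("r4", "Professional", "IT", "CompW", "q33", 5, 6, 6, 6),
    Response("r5", "Line Manager", "Business", "CompW", "q33", 5, 7, 5, 5),
    Response("r6", "Professional", "IT", "CompX", "q33", 6, 7, 6, 6),
]


def _mean(values):
    return round(float(mean(values)), 2)


def performance_gap(responses, org="my"):
    """Per question: (mean Assessment, mean Importance, Importance - Assessment).
    org="my" uses MA/MI, org="partner" uses PA/PI."""
    a_field, i_field = ("ma", "mi") if org == "my" else ("pa", "pi")
    by_question = defaultdict(list)
    for r in responses:
        by_question[r.question].append(r)
    result = {}
    for q, rs in by_question.items():
        a = _mean([getattr(r, a_field) for r in rs])
        i = _mean([getattr(r, i_field) for r in rs])
        result[q] = (a, i, round(i - a, 2))
    return result


def group_mean(responses, attr, field, question):
    """Mean of one field (ma, mi, pa, pi) per value of attr (rank, role, company)."""
    groups = defaultdict(list)
    for r in responses:
        if r.question == question:
            groups[getattr(r, attr)].append(getattr(r, field))
    return {g: _mean(v) for g, v in groups.items()}


def _mean_gap(responses, attr, group, question, invert=False):
    # invert=True selects everyone who is NOT in the group ("all others").
    gaps = [r.mi - r.ma for r in responses
            if r.question == question and ((getattr(r, attr) == group) != invert)]
    return float(mean(gaps)) if gaps else None


def stakeholder_gap(responses, attr, group_a, group_b, question):
    """Rank or role gap: group_a's mean (MI - MA) minus group_b's,
    e.g. attr="rank", "Executive" v. "Line Manager"."""
    ga = _mean_gap(responses, attr, group_a, question)
    gb = _mean_gap(responses, attr, group_b, question)
    if ga is None or gb is None:
        return None
    return round(ga - gb, 2)


def gap_vs_others(responses, attr, group, question):
    """Fraction by which the group's mean gap exceeds everyone else's (1.5 = 150% greater)."""
    own = _mean_gap(responses, attr, group, question)
    rest = _mean_gap(responses, attr, group, question, invert=True)
    if own is None or not rest:
        return None
    return round(own / rest - 1, 2)


if __name__ == "__main__":
    print("my org (MA, MI, gap):", performance_gap(RESPONSES)["q33"])
    print("partner (PA, PI, gap):", performance_gap(RESPONSES, org="partner")["q33"])
    print("MA by company:", group_mean(RESPONSES, "company", "ma", "q33"))
    print("rank gap, Executive v. Line Manager:",
          stakeholder_gap(RESPONSES, "rank", "Executive", "Line Manager", "q33"))
    print("role gap, Business v. IT:",
          stakeholder_gap(RESPONSES, "role", "Business", "IT", "q33"))
    print("Executive gap vs. all others:", gap_vs_others(RESPONSES, "rank", "Executive", "q33"))
```

On this sample the partner gap comes out smaller than the "my organization" gap for the same reason the deck gives on its Question 33 slide: the partner is rated a little higher and its importance a little lower. A group with no respondents yields None rather than a misleading zero.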
Copyright © 2006, MIT 8
Example Security Questions
Copyright © 2006, MIT 9
Evaluating Statistical Significance
“My organization” Gaps: significant @ 99.98%
Partner Gaps: significant @ 99.97%
Statistically Significant Instrument for Measuring Components of Security Perceptions
Copyright © 2006, MIT 10
Example Gap Analysis Findings – Different Organizations
MA = Assessment of “My” organization (5.1)
MI = Importance for “My” organization (6.3)
Gap = difference between Assessment and Importance – for “My” organization (1.2)
Question 33: People are aware of good security practices.
[Charts: MA, MI and Gap for Question 33 by company (Comp I, Comp W, Comp X, Misc., Overall); scale 4 to 7]
Observation: Big differences between companies.
Copyright © 2006, MIT 11
Example Gap Analysis Findings – Compared with Partner Organization
[Chart: Assessment for “My Org” 5.07 with gap 0.74, for “My Partner” 5.14 with gap 0.45; scale 4.5 to 6. Legend: MA, MI, Gap; PA, PI, Gap]
Gap between Assessment and Importance – for “My” organization: Overall gap = 0.74
Gap between Assessment and Importance – for “Partner” organization: Overall gap = 0.45
Question 33: People are aware of good security practices.
General conclusion:
- View partner as slightly “better” (5.14 v 5.07)
- But it is also much “less important” (5.59 v 5.81)
-> So Gap is much less (0.45 partner v 0.74 “my Organization”)
Copyright © 2006, MIT 12
Dimensions of Security
[Diagram: the “House of Security” with its eight constructs: Technology Resources for Security, Financial Resources for Security, Business Strategy for Security, Security Policy & Procedures, Security Culture, Accessibility, Confidentiality and Vulnerability.]
Copyright © 2006, MIT 13
Analysis of Construct Reliability and Validity
Reliability - Cronbach's Alpha Values

Construct             MA        MI
Accessibility         0.90758   0.93701
Vulnerability         0.83714   0.91012
Confidentiality       0.91808   0.94026
Financial Resources   0.91878   0.92768
IT Resources          0.91023   0.93680
Business Strategy     0.86877   0.89343
Security Policy       0.92184   0.93834
Security Culture      0.92188   0.94296

For good reliability, want Cronbach's Alpha Values to be >0.6, better if >0.7

Construct Validity - Convergent and Discriminant Validity

Columns: Acc = Accessibility, Vul = Vulnerability, Con = Confidentiality, Fin = Financial Resources, IT = IT Resources, Bus = Business Strategy, Pol = Security Policy, Cul = Security Culture

Construct             Acc       Vul       Con       Fin       IT        Bus       Pol       Cul
Accessibility         0.96606   0.82730   0.86289   0.72385   0.81193   0.75817   0.75993   0.77299
Vulnerability         0.82730   0.89537   0.85986   0.83791   0.88582   0.83439   0.85439   0.83308
Confidentiality       0.86289   0.85986   0.97320   0.79234   0.86494   0.83070   0.85867   0.85271
Financial Resources   0.72385   0.83791   0.79234   0.97366   0.88814   0.86196   0.86675   0.84406
IT Resources          0.81193   0.88582   0.86494   0.88814   0.96623   0.84474   0.87556   0.85137
Business Strategy     0.75817   0.83439   0.83070   0.86196   0.84474   0.93056   0.88216   0.85515
Security Policy       0.75993   0.85439   0.85867   0.86675   0.87556   0.88216   0.97341   0.84505
Security Culture      0.77299   0.83308   0.85271   0.84406   0.85137   0.85515   0.84505   0.96241

For good Convergent Validity, want diagonals >0.50
For good Discriminant Validity, want all values in columns of each construct to be lower than the diagonals.
Reliability = produces consistent results
Validity = components are more correlated with others of that construct than another construct
- Convergent Validity – form a single construct
- Discriminant Validity – not of another construct
Statistically Reliable & Valid Instrument for Measuring Perceptions of Security Constructs
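The two checks on this slide, carried out in code. This is an added example, not the study's own analysis code: cronbach_alpha() implements the standard Cronbach's alpha formula over constructed item scores (the six respondents and four items are made up), and validity_report() applies the slide's two rules (diagonal > 0.50 for convergent validity; every other value in a construct's column below that construct's diagonal for discriminant validity) to the construct matrix exactly as the slide shows it. Function names are my own.

```python
"""Reliability and validity checks for a perception instrument (added example)."""
from statistics import variance


def cronbach_alpha(items):
    """items: one list of scores per questionnaire item, each holding one score
    per respondent. alpha = k/(k-1) * (1 - sum(item variances) / variance(totals)),
    using sample variances throughout."""
    k = len(items)
    if k < 2:
        raise ValueError("Cronbach's alpha needs at least two items")
    n = len(items[0])
    if any(len(scores) != n for scores in items):
        raise ValueError("every item needs one score per respondent")
    item_variance_sum = sum(variance(scores) for scores in items)
    totals = [sum(scores[i] for scores in items) for i in range(n)]
    return k / (k - 1) * (1 - item_variance_sum / variance(totals))


def meets_reliability(alpha, threshold=0.7):
    """Slide rule of thumb: alpha > 0.6 is acceptable, > 0.7 is better."""
    return alpha > threshold


# Constructed scores (1-7) from six hypothetical respondents on four items of
# one construct; each row is an item, each column a respondent.
SAMPLE_ITEMS = [
    [5, 6, 4, 7, 5, 6],
    [5, 6, 4, 6, 5, 7],
    [4, 6, 5, 7, 5, 6],
    [5, 5, 4, 7, 6, 6],
]

CONSTRUCTS = ["Accessibility", "Vulnerability", "Confidentiality", "Financial Resources",
              "IT Resources", "Business Strategy", "Security Policy", "Security Culture"]

# Convergent/discriminant validity matrix as printed on the slide
# (rows and columns in CONSTRUCTS order).
MATRIX = [
    [0.96606, 0.82730, 0.86289, 0.72385, 0.81193, 0.75817, 0.75993, 0.77299],
    [0.82730, 0.89537, 0.85986, 0.83791, 0.88582, 0.83439, 0.85439, 0.83308],
    [0.86289, 0.85986, 0.97320, 0.79234, 0.86494, 0.83070, 0.85867, 0.85271],
    [0.72385, 0.83791, 0.79234, 0.97366, 0.88814, 0.86196, 0.86675, 0.84406],
    [0.81193, 0.88582, 0.86494, 0.88814, 0.96623, 0.84474, 0.87556, 0.85137],
    [0.75817, 0.83439, 0.83070, 0.86196, 0.84474, 0.93056, 0.88216, 0.85515],
    [0.75993, 0.85439, 0.85867, 0.86675, 0.87556, 0.88216, 0.97341, 0.84505],
    [0.77299, 0.83308, 0.85271, 0.84406, 0.85137, 0.85515, 0.84505, 0.96241],
]


def validity_report(labels, matrix, convergent_min=0.50):
    """Per construct: (convergent ok, discriminant ok). Convergent: the diagonal
    exceeds convergent_min. Discriminant: every off-diagonal value in that
    construct's column is below its diagonal."""
    report = {}
    for j, name in enumerate(labels):
        diagonal = matrix[j][j]
        column = [matrix[i][j] for i in range(len(labels)) if i != j]
        report[name] = (diagonal > convergent_min, all(v < diagonal for v in column))
    return report


def instrument_is_valid(report):
    return all(conv and disc for conv, disc in report.values())


if __name__ == "__main__":
    alpha = cronbach_alpha(SAMPLE_ITEMS)
    print(f"alpha = {alpha:.3f}, reliable: {meets_reliability(alpha)}")
    for name, (conv, disc) in validity_report(CONSTRUCTS, MATRIX).items():
        print(f"{name:20s} convergent={conv} discriminant={disc}")
    print("whole instrument valid:", instrument_is_valid(validity_report(CONSTRUCTS, MATRIX)))
```

Run against the slide's matrix every construct passes both rules, which is the basis for the slide's claim of a reliable and valid instrument; a matrix where two constructs correlate more strongly with each other than with themselves (a 2x2 with off-diagonal 0.95 and diagonals 0.90 and 0.85, say) fails the discriminant check for both.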
Copyright © 2006, MIT 14
Average Construct Values
[Chart: average MA, MI, PA and PI per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture); scale 4.0 to 6.5. Legend: MA = My Assessment, MI = My importance, PA = Partner Assessment, PI = Partner importance]
Observation: ‘My’ assessment = similar to assessment of Partner
Observation: ‘My’ importance > importance of Partner
‘My’ assessment:
- Accessibility, Confidentiality highest
- Culture, Policy, Financial, Strategy lowest
Copyright © 2006, MIT 15
Construct Gaps: Absolute Values
[Chart: per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture), scale 0.0 to 1.0: |MI-MA| = “My” gap between Assessment & Importance; |PI-PA| = Partner gap; |PI-MI| = gap between “My” & Partner Importance; |PA-MA| = gap between “My” & Partner Assessment (almost the same)]
Largest Gap = .82, Smallest Gap = .33
Security Culture is a Major Concern
Copyright © 2006, MIT 16
Security Culture Questions
• Security Practices
– In the organization, people are aware of good security practices. [q33; gap=.78]
– People in the organization are knowledgeable about IT security tools and practices. [q08; gap=.82]
– People in the organization carefully follow good security practices. [q14; gap=1.08] Largest gap!
• Ethics and Trust
– People in the organization can be trusted not to tamper with data and networks. [q21; gap=.69]
– People in the organization can be trusted to engage in ethical practices with data and networks. [q26; gap=.74]
Copyright © 2006, MIT 17
Company Assessment: Values
[Chart: assessment values per construct for 6 companies against the Average of All respondents [194]]
Observation: Some similarities. But many differences.
Copyright © 2006, MIT 18
Company Assessment: Gaps
[Chart: gaps per construct for each company against the Average [194]]
Small gaps: Why are these guys so “happy”?
Large gaps: And these “not”?
- Can Benchmark Your Company Against “Average”
- Can Monitor Changes in Your Company Over Time
Copyright © 2006, MIT 19
A Closer Look
• Rank Gaps:
– e.g. Executives v. Professionals
• Role Gaps:
– e.g. Business Managers v. IT staff
• Industry Gaps:
– e.g. Healthcare v. Banking
Copyright © 2006, MIT 20
Average Construct Values (MA by Ranks)
[Chart titled “Average Construct Values (MA by Roles)”: average MA per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture) for Executives, Managers, Professionals, Customer Service and Others; scale 4.5 to 6.0]
Executives have lowest assessment of security in general
Copyright © 2006, MIT 21
Construct Gaps (MI-MA by Ranks)
[Chart titled “Construct Gaps Absolute Values (MI-MA by Roles)”: gap per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture) for Executives, Managers, Professionals, Customer Service and Others, with Executives set against All Others; scale 0.0 to 1.4]
Gaps Average 60% Greater for Executives
Copyright © 2006, MIT 22
Average Construct Values: Importance (MI by Roles)
[Chart: average MI per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture) for the roles Business Security Policy, IT Security, IT (Not Security), General / Physical Security, and Not Security or IT; scale 4.5 to 6.5. The “Not in Security or IT” line lies below the various IT and security roles]
Those ‘Not in Security or IT’ Perceive Security as Less Important
Copyright © 2006, MIT 23
Construct Gaps (MI-MA by Roles)
[Chart: MI-MA gap per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture) for Business Security Policy, IT Security, IT (Not Security), General / Physical Security, and Not Security or IT; scale 0.0 to 1.2]
But Even Those ‘Not in Security or IT’ Still Perceive Significant Security Gaps
Copyright © 2006, MIT 24
My Assessment of Security by Industry
[Chart: Assessment Rating (4.4 to 6.4) per Security Construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture), one line per industry: Banking & Finance, Tele/Communication, Health & Social Assistance, Manufacturing, Retail, Technology Services; Healthcare, Retail and Manufacturing marked]
Healthcare, Retail, and Manufacturing are Industries with Lowest Construct Assessments
Copyright © 2006, MIT 25
Security Gaps by Industry
[Chart: Construct Gaps |MA-MI| (0.2 to 0.9) per Security Construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture), one line per industry: Banking & Finance, Tele/Communication, Health & Social Assistance, Manufacturing, Retail, Technology Services; Manufacturing, Healthcare and Tech Services marked]
Healthcare, Tech Services, and Manufacturing are Industries with Largest Gaps
Copyright © 2006, MIT 26
Gaps in Banking & Finance
[Chart: per construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture), the Level of desired security against the Level of current security practices, the Gap in this industry being the distance between them; scale 5 to 6.2]
Even the Banking & Finance Industry has Sizable Gaps
Copyright © 2006, MIT 27
Summary of Key Findings
1. Statistical instrument for measuring perceptions of security
– Can use to benchmark your company
– Can monitor changes over time
2. ‘Security Culture’ is a major concern
– Needs to be explicitly addressed
3. Healthcare, Retail, and Manufacturing have low assessments and sizable gaps
– Certain industries to focus on … but all need
4. Executives have lowest assessments of security and largest gaps
5. Those ‘not Security or IT’ perceive security less important, but still sizable gaps
– Opportunity/need for communication
Copyright © 2006, MIT 28
“How Good is your Security?”
More analysis still underway
Stuart Madnick; T 617-253-6671; E-mail: [email protected]
Summary: http://ebusiness.mit.edu/research/Briefs/Madnick_Siegel_Security_Brief.pdf
TSQM Survey: http://web.mit.edu/surveys/tsqm/
It is well known in Consumer Behavior Research that
Perception Is Reality
• Your behavior is based on your perceptions
• We have combined that notion with the discipline of statistics to advance our understanding of Security
Copyright © 2006, MIT 29
Next steps:
1. Larger-scale Gap Analysis Study
– More individual participants
– More company-specific participation
2. Understand Reasons for Differences
– More details on the “why?” and “so what?”
– Detailed company-specific case studies
3. Determine Prescriptive actions
– More education (what & how best?)
– More security in specific areas
– More appropriate security & training
– Etc …
Copyright © 2006, MIT 30
Acknowledgement: MIT TEAM
FACULTY
• Yang Lee
• Stuart Madnick
• Michael Siegel
• Diane Strong
• Richard Wang
• Chrisy Yao
STUDENTS
• Wee Horng Ang
• Vicki Deng
• Desiree Rap
• Dinsha Mistree
• Venkataramana Thummisi
Copyright © 2006, MIT 31
Extra Slides
Copyright © 2006, MIT 32
Average Construct Values: Assessment (MA by Company Size)
[Chart: Assessment (4.0 to 6.5) per Security Construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture), one line per company size in No. of Employees: 1-100, 100-1K, 1K-10K, 10K-50K, 50K-100K, 100K+; Small Companies (1-100 and 100-1K) and Large Enterprises (100K+) marked]
In general, the Larger the company, the Higher the Assessments
Copyright © 2006, MIT 33
Average Construct Values: Importance (MI by Company Size)
[Chart: Importance (4.0 to 6.5) per Security Construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture), one line per company size in No. of Employees: 1-100, 100-1K, 1K-10K, 10K-50K, 50K-100K, 100K+; Small Companies (1-100 and 100-1K) and Large Enterprises (100K+) marked]
In general, the Larger the company, the Higher the Importance
But, Mid-sized companies (1-10K & 10-50K) also had High Importance levels
Copyright © 2006, MIT 34
Construct Gaps (MI-MA by Company Size)
[Chart: gap (0.0 to 1.0) per Security Construct (Accessibility, Vulnerability, Confidentiality, Financial Resources, IT Resources, Business Strategy, Security Policy, Security Culture), one line per company size in No. of Employees: 1-100, 100-1K, 1K-10K, 10K-50K, 50K-100K, 100K+]
In general, the Larger the company, the Smaller the gaps
Small Companies (1-100 and 100-1K): large gaps
But, Mid-Sized companies (1-10K & 10-50K) also had large gaps
Large Enterprises (100K+): lowest gaps
Copyright © 2006, MIT 35
Vulnerability
• [q01] The organization’s data and networks are rarely tampered with by unauthorized access.
• [q05] The organization has adequate safeguards against internal and external threats to its data and networks.
• [q19] The organization improves its security by learning from previous attacks on its data and networks.
• [q31] The organization has a rapid response team ready for action when attacks occur.
Accessibility
• [q04] The organization checks the identity of users before allowing access to data and networks.
• [q11] The organization’s data and networks are only available to approved users.
• [q30] The organization provides access to data and networks to legitimate users.
• [q34] The organization’s data and networks are usually available when needed.
Copyright © 2006, MIT 36
Confidentiality
• [q12] The organization has adequate policies for when and how data can be shared.
• [q18] The organization has adequate policies about user identifications, passwords, and access privileges.
• [q20] The organization protects privacy of personal data (for example, customer data, data about employees).
• [q32] The organization provides good protection of confidential corporate data.
IT Resources
• [q03] The organization has enough IT security specialists to cover its security needs.
• [q10] In the organization, the IT group takes security seriously.
• [q13] The organization has adequate technology for supporting security.
• [q17] The organization uses its IT security resources effectively to improve security.
Copyright © 2006, MIT 37
Financial Resources
• [q09] In the organization, security funds are appropriately distributed based on needs.
• [q16] Security is a funding priority in the organization.
• [q23] The organization has enough security personnel to cover its security needs.
• [q28] The organization makes good use of available funds for security.
Business Strategy
• [q02] The organization’s security strategy sets direction for its security practices.
• [q22] Security is a business agenda item for top executives in the organization.
• [q27] In the organization, business managers help set the security strategy.
• [q29] The organization’s security strategy is well-publicized in the organization.
Copyright © 2006, MIT 38
Security Policy
• [q07] The organization has policies for regularly scheduled security audits.
• [q15] The organization has a well-defined and communicated security strategy.
• [q24] The organization has well-defined policies and procedures for data and network security.
• [q25] The organization has procedures for detecting and punishing security violations.
Security Culture
• [q08] People in the organization are knowledgeable about IT security tools and practices.
• [q14] People in the organization carefully follow good security practices.
• [q21] People in the organization can be trusted not to tamper with data and networks.
• [q26] People in the organization can be trusted to engage in ethical practices with data and networks.
• [q33] In the organization, people are aware of good security practices.